3 Replies Latest reply: Apr 19, 2017 6:50 AM by Chris Hunt RSS

Isilon - SMB share access troubleshooting

Chris Hunt




This test cluster is giving me fits and trying to figure out why I cant seem to access this SMB share I created?  Could it be the directory permissions that stopping me?


Directory Permissions:

[MYCLUSTER]-2# ls -lzed ifs

drwxrwx--x    7 root  wheel  136 Oct  3  2015 ifs

OWNER: user:root

GROUP: group:wheel


0: user:root allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child

1: group:wheel allow dir_gen_read,dir_gen_write,dir_gen_execute,delete_child

2: everyone allow dir_gen_execute,dir_read_attr





Share Permissions:

[MYCLUSTER]-2# isi smb share view test$

                                     Share Name: test$

                                           Path: /ifs


                     Client-side Caching Policy: manual

Automatically expand user names or domain names: False

Automatically create home directories for users: False

                                      Browsable: True


Account                   Account Type  Run as Root  Permission Type  Permission


[DOMAINNAME]\Me user                False            allow                   full


Total: 1


          Access Based Enumeration: No

Access Based Enumeration Root Only: No

             Allow Delete Readonly: No

              Allow Execute Always: No

                     Change Notify: norecurse

                Create Permissions: default acl

             Directory Create Mask: 0775

             Directory Create Mode: 0000

                  File Create Mask: 0764

                  File Create Mode: 0100

                    Hide Dot Files: No

                          Host ACL: -

                 Impersonate Guest: never

                  Impersonate User:

                 Mangle Byte Start: 0XED00

                        Mangle Map: 0x01-0x1F:-1, 0x22:-1, 0x2A:-1, 0x3A:-1, 0x3C:-1, 0x3E:-1, 0x3F:-1, 0x5C:-1

                  Ntfs ACL Support: Yes

                           Oplocks: Yes

                      Strict Flush: Yes

                    Strict Locking: No



Everytime I try to access this from my windows workstation I get "Windows cannot access [Server]"





Thank you,

  • 1. Re: Isilon - SMB share access troubleshooting
    Chris Klosterman

    I mean at first glance of course naming it with a dollar sign $ will administratively hide it. But I'm guessing you know that.  Are you trying to access it via \\smartconnectzonename.domain.xyz\test$ and it's not working?  Then odds are pretty good that it's an NTFS permissions issue.  That said your path is /ifs, and NEVER put NTFS ACLs on /ifs, you'll probably break the cluster.  Are you just trying to allow yourself as an administrator to browse the tree?  Then give just your admin account run-as-root rights to the share.  Be extremely careful with how you use this because as the name implies it gives you effectively root access over SMB.  While useful for administrative purposes or for data migrations, it can be a real mess if you ever put that on a user-facing share.

    The other possible issue is an SPN issue.

    'isi auth ads spn check --domain=domain.xyz"

    will show you if you have any SPNs missing.


    Hope it helps,

    Chris Klosterman

    Principal SE, Datadobi


  • 2. Re: Isilon - SMB share access troubleshooting
    Chris Hunt

    Yes, I am intensionally hiding the share.  I am trying to access it via \\[SERVER.DOMAIN.xyz]\test$ and its not working.  I have no plans to add NFTS permissions to /ifs and was hoping I wouldn't have to.  Yes, per the instructions for the Isilon Search tool, I need to give it permissions to access the share for /ifs.  Isilon Search don't require a run-as-root right to perform this task of scanning the entire filesystem. 


    I will verify the SPN isn't an issue and reply to this tomorrow morning.



    Thank you,

  • 3. Re: Isilon - SMB share access troubleshooting
    Chris Hunt

    Ok this is what I got:




    SERVER-2# isi auth ads spn check --domain=DOMAIN.DOMAIN.xyz

    Missing Service Principal Names:






    Additional Service Principal Names:





    SERVER-2# isi auth ads spn list --domain=DOMAIN.DOMAIN.xyz

    SPNs registered for SERVER3$: